Shunlongwei Co. ltd.

Industry | Have you been bombarded by text messages? Fully decipher this new type of crime

Posted on: 10/01/2022

Phone calls and text messages are normal functions, but in recent years criminals have turned them into a new technical means of attacking others. Vicious incidents in which mobile phone users are “bombed by communication” and harassed by text messages and phone calls are becoming more and more common. Recently, the Internet Police Detachment of the Guangzhou Municipal Public Security Bureau and the Baiyun District Public Security Bureau jointly investigated and destroyed a new type of criminal gang that used the Internet to set up a “24 Cloud Call” platform to interfere with mobile phone communications.

Police arrest suspect of “24 Yunhu” gang

“Call to death” harasses residents: 26 yuan buys 5,000 outgoing calls

Ms. Luo from Panyu District, Guangzhou reported to the police that she always received strange calls. These strange calls would ring three or five times a minute, and hang up every time they ring. Ms. Luo, who works in sales, is miserable.

Guo Pusheng, a policeman from the Baiyun Branch of the Guangzhou Public Security Bureau, said that the investigation found Ms. Luo had been attacked by malicious software called “24 Yunhu”, which “bombed” the victim by controlling on-hook mobile phones all over the country. With the software “developer” as the source, it forms a complete black industrial chain with “operators”, “agents” and “users”. “Cloud Call” users can make 5,000 malicious calls by purchasing a recharge card from an agent and recharging 26 yuan on the platform.

The Internet Police Detachment of the Guangzhou Public Security Bureau and the Baiyun District Public Security Sub-bureau finally caught a new type of criminal gang that used the Internet to set up a “24 Cloud Call” platform to interfere with mobile phone communications. Four suspects were arrested, and more than 3,700 “24 Cloud Call” accounts were seized. It is understood that since the “24 Cloud Call” platform was launched in November 2020, more than 5.86 million calls have been made.

The on-hook mobile phone of the criminal gang

The “text bombing” black industry upgrades: the crime costs less than 50 yuan

Like Ms. Luo in the case, quite a few people have received thousands of unfamiliar phone calls and text messages from all over the country in one day. In recent years, some criminals have used “communication bombing” to make malicious calls in order to carry out illegal and criminal activities such as retaliation, extortion, forced buying and selling, and illegal debt collection, and the victims suffer the abuse.

Cheng Feiran, a senior researcher at Tencent’s Security Platform Department, said that “SMS bombing” had already formed an industry as early as 2005 in the “Little Smart” era. user number) to complete the group sending operation by connecting to PHS, just use the “SMS Group Sending King” on the computer to import the relevant sending target mobile phone number, and then the sending operation can be completed. The cost of this “SMS bombing” method is relatively high. Excluding the host and software costs, the cost of each SMS message is 0.1 yuan, and 10,000 SMS messages cost thousands of yuan. Therefore, this type of SMS sending method is mainly used in the marketing of advertisers.

After more than ten years of development, the “SMS bombing” industry chain has undergone tremendous changes. Black industry practitioners have begun to use the SMS verification service of Internet products to “bomb” victims. When users log in to various websites or apps, a verification code often has to be sent to their mobile phones. The “SMS bombing” operators target this “business opportunity”: they use crawlers to collect the SMS sending interfaces (CGI interfaces) of a large number of normal corporate websites and integrate them into a “bombing” website or “bombing” software for illegal profit.

After the “bombing” website or software issues instructions, a large amount of normal verification code information from these corporate websites will be sent to the designated mobile phone in a short period of time, and even a single website can send multiple verification code information to the same mobile phone number.

SMS bombing technology principle

Since the production cost of “SMS bombing” software is extremely low and it can bring stable profits, more and more black industry operators are moving to cloud-based products: they buy cloud service on overseas cloud hosts at extremely low prices, and then purchase the template of an SMS “bombing” website through a card issuing platform. The cost of an overseas cloud host is only 20-30 yuan per month. A “script kid” with a 3-month program development foundation can complete the deployment and launch of a “text bombing” website within 4 hours. The monthly cost is less than 50 yuan, but the illegally obtained income exceeds several thousand yuan. The attractive input-output ratio also draws more participants into the “text bombing” black industry.

The industrial chain is complete, and the black-produced gangs have enough “bullets”

At present, “text bombing” has become a common means of private revenge. For example, perpetrators of “soft violence” such as debt collectors use “text bombing” to attack victims and force them to repay; e-commerce platform sellers who receive negative reviews use “text bombing” to retaliate against consumers, and so on. Underworld gangs use illegal online platforms to infringe on the legitimate rights and interests of users and to promote malicious retaliation, soft-violence debt collection and other behaviors, which seriously affect social stability.

Cheng Feiran, a senior researcher at Tencent’s Security Platform Department, said that “SMS bombing” has formed a relatively complete industrial chain. The operation of “SMS bombing” depends on three groups: technology developers, website/app operators and users. Technology developers are responsible for analyzing and discovering SMS interfaces that have not taken protective measures, writing code to call those interfaces and commercializing it; website/app operators are responsible for front-end development, making it convenient for users to use and pay, and even selling wantonly through agents; users purchase services on the corresponding website/app and enter the mobile phone number of the “bombed” user to launch an attack by calling the aforementioned SMS interfaces.

According to the in-depth investigation of such risk software by Tencent Security Platform Department, there are currently more than 3,000 “SMS bombing” websites that can be found on the market, and more than 5,000 SMS interfaces are suspected to be used to implement “SMS bombing”. The types include major Internet companies, operators’ external service ports, and even many government service websites. This will undoubtedly seriously affect the SMS verification code function of the official corporate website, damage the corporate image, and increase the unnecessary expenses of the company.

Advertisement of a “Call to Death” APP on an overseas communication website

Why is “SMS Bombing” Difficult to Govern?

“SMS bombing” will cause negative effects such as blockage of SMS channels, damage to corporate brand image, and malicious consumption of SMS fees, which will bring trouble to users’ mobile communication and normal life. How to break the “text bombing” is undoubtedly an urgent problem to be solved, and the difficulty is closely related to the product form of the Internet.

Most websites and mobile applications require a mobile phone number to obtain a verification code SMS during registration, and use SMS verification to identify whether the mobile phone number belongs to the user. However, there are many security risks hidden behind this verification method. One of the most important is that black industry operators use the SMS verification interfaces of various platforms to carry out SMS bombing.

Adding a layer of verification before issuing the verification code can effectively prevent malicious use by black industry operators, but enterprises then also have to bear the risk of user loss, because adding one more action means that the user conversion rate may decrease.

On the other hand, since this kind of “SMS bombing” draws on a large number of websites, the traditional single-line frequency control security strategy is ineffective against it. The SMS sending interfaces integrated into such websites or software are called from the local machine, so the protection measures only act on the IP of the malicious person who is currently using the website or software, and other IPs are not restricted. To improve usability, some “SMS bombing” software has built-in proxy IPs that bypass the limits of the SMS interface, so that a large number of SMS messages can be sent without restriction.

It is the best policy to take the initiative to break the “text bombing”

Faced with the inevitable “SMS bombing”, it is necessary to move from passive defense to active governance. The security team of Tencent Guardian Program provides several suggestions for enterprises to prevent “SMS bombing” by the black industry at the source.

The first is to add human-machine verification to the verification code interfaces that the black industry abuses, using basic prevention strategies such as graphic verification codes, so as to raise the threshold for malicious use of the interfaces and squeeze the room in which the black industry can operate. For example, Tencent verification code can accurately distinguish trusted, suspicious and malicious users based on multi-dimensional environmental factors of users, and pop up different verification methods, bringing a more refined verification experience.

The second is to create a one-click verification solution for mobile terminals to replace outdated SMS verification codes. For example, the Tencent Cloud number authentication service integrates the unique gateway number acquisition and verification capabilities of the three major operators, automatically identifies the local number through the underlying data gateway and SMS gateway, and verifies user identity safely and quickly without leaking user information, enabling one-click password-free registration and login.

In addition, Internet companies can also use unified risk control services to selectively block requests based on risk control results before issuing SMS verification codes; support QQ, WeChat and other authorized login methods to minimize the risks brought by SMS verification; and monitor the sending volume of verification codes closely so that anomalies are detected in time.
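
As an added illustration (not code from the article or from Tencent), the sketch below shows one way a single site can cap its own contribution: it throttles on the destination phone number as well as the source IP, steps up to human verification, and counts refusals for monitoring. The class name, thresholds and sample numbers are assumptions chosen for the example.

```python
import time
from collections import defaultdict, deque

COOLDOWN_S = 60      # assumed: minimum gap between codes sent to one number
DAILY_CAP = 5        # assumed: maximum codes per number per 24 hours
IP_CAP = 20          # assumed: maximum requests per source IP per hour
CAPTCHA_AFTER = 2    # assumed: human verification required after this many sends

class SmsSendGuard:
    """Decides whether a verification-code SMS may be sent (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.by_number = defaultdict(deque)  # phone -> timestamps of codes sent
        self.by_ip = defaultdict(deque)      # ip -> timestamps of requests seen
        self.blocked = defaultdict(int)      # phone -> refused or challenged requests

    @staticmethod
    def _prune(q, now, window):
        # Drop timestamps that have aged out of the sliding window.
        while q and now - q[0] >= window:
            q.popleft()

    def check(self, phone, ip, captcha_ok=False):
        now = self.clock()
        sent, reqs = self.by_number[phone], self.by_ip[ip]
        self._prune(sent, now, 86400)
        self._prune(reqs, now, 3600)
        reqs.append(now)
        if len(reqs) > IP_CAP:
            verdict = "deny:ip_rate"          # classic per-IP control
        elif sent and now - sent[-1] < COOLDOWN_S:
            verdict = "deny:cooldown"         # keyed on the target number, not the IP
        elif len(sent) >= DAILY_CAP:
            verdict = "deny:daily_cap"
        elif len(sent) >= CAPTCHA_AFTER and not captcha_ok:
            verdict = "challenge:captcha"     # step up to human-machine verification
        else:
            sent.append(now)
            return "send"
        self.blocked[phone] += 1
        return verdict

    def suspicious_numbers(self, threshold=3):
        """Numbers with many refused requests: candidates for an alert."""
        return sorted(p for p, n in self.blocked.items() if n >= threshold)
```

Because the cooldown and daily cap are keyed on the phone number, requests arriving from a different proxy IP each time are still limited, which a per-IP counter alone would not achieve.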